Big Safari & Kernel issues fixed in iOS 16.3.1, macOS 13.2.1 updates
Monday's software updates fix an array of security issues in macOS, iOS, and iPadOS, including one affecting Safari's WebKit that was being actively exploited.
Apple introduced small incremental updates across its software ecosystem on Monday, with iOS 16.3.1, iPadOS 16.3.1, and macOS 13.2.1 available to download by the public.
Following the release, Apple has published details about the security content of each update, with a lot of crossover between the three operating systems.
The first, a Kernel issue, is addressed in all three updates, and is described as one where "an app may be able to execute arbitrary code with kernel privileges." The fix addressed a "use after free issue" by adding "improved memory management."
Identified as CVE-2023-23514, the issue was reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero.
The second, a WebKit problem, is listed as impacting all of the operating systems, as well as Safari itself. Under the issue, "processing maliciously crafted web content may lead to arbitrary code execution."
Apple adds that it is "aware of a report that this issue may have been actively exploited." It has since been fixed with "improved checks."
It is identified as CVE-2023-23529, and was found by "an anonymous researcher."
The last issue is for Shortcuts, and specifically affects macOS Ventura. Under the issue, an app "may be able to observe unprotected user data," which was fixed with "improved handling of temporary files."
CVE-2023-23522 was found by Wenchao Li and Xiaolong Bai of Alibaba Group.